
Post on 14-Sep-2020


Your Data and Information in the Cloud

Opportunities, Challenges and Practical Ways for Organizations in Regulated Industries to Reduce Risks

Page 2: Your Data and Information in the Cloud Library/mnp/pdf/whitepaper...applications deployed in the cloud as prior generations deployed over the previous four decades.” Eileen Smith

Cloud — from excitement to confusion, this term conjures a range of strong reactions among executives. Cloud technology is one of the most disruptive IT forces since the arrival of the personal computer. And while leaders of enterprises in regulated industries are understandably reticent to leap into new and evolving technologies, cloud technology is becoming essential to operate effectively in the marketplace.

Many organizations are currently using the cloud to store, use, share and preserve data; however, this shared pool of computing resources (networks, servers, storage, applications, services) will ultimately become the dominant IT platform. It offers organizations ever-greater abilities to integrate data, applications and processes across many environments. At the same time, its flexibility allows for a wide range of uses and implementation models. This results in more opportunities to benefit from increased agility, flexibility, efficiency, scalability and resiliency.

By carefully balancing the benefits of the cloud in capturing content and making it quickly findable and accessible — with appropriate safeguards and protection — regulated industry organizations can use cloud technology to support business processes productively and safely.

This white paper shows the path forward.


Cloud Computing

Cloud isn’t a new term. It originated in the 1960s when cloud symbols were used in flow charts and diagrams to symbolize the Internet network.

Cloud Terms

Cloud — Metaphor for a global network; now commonly used to represent the Internet

Cloud computing — A delivery model for computing resources in which various servers, applications, data and other resources are integrated and provided as a service over the Internet

Cloud service provider — Company that provides a cloud-based platform, infrastructure, application or storage services; usually for a fee

Cloud storage — A service that lets you store data by transferring it over the Internet or another network to an offsite storage system maintained by a third party

Hardware as a Service (HaaS) / Infrastructure as a Service (IaaS) — A computer environment delivered as a service over the Internet by a provider. Infrastructure can include servers, network equipment and software

Platform as a Service (PaaS) — A computing platform (operating system and other services) delivered as a service over the Internet by a provider

Private cloud — Services offered over the Internet or over a private internal network to select users, not the general public

Public cloud — Services offered over the public Internet and available to anyone who wants to purchase them

[Figure: Cloud Computing: Everything and the Kitchen Sink. Labels: Code, Mobile, PC, Kitchen Sink, Data Base, App Server]


Today, the cloud represents not only a global infrastructure of servers and data centres, but an unprecedented opportunity for enterprise transformation.

Worldwide spending on public cloud services and infrastructure in 2019 is forecast to reach $210 billion¹ — an increase of 23.8 percent over 2018. This is up from less than US$9 billion² only a decade ago. The banking, manufacturing and professional services sectors will each spend more than $20 billion on public cloud services in 2019, accounting for more than one third of the worldwide total.³

In 2019, the largest geographic public cloud markets will be⁴:

• U.S.: $124.6 billion
• China: $10.5 billion
• UK: $10.0 billion
• Germany: $9.5 billion

In 2018, the world’s 10 largest cloud vendors realized total revenue of almost $120 billion. As new technologies evolve, the field is opening to new players.

Understandably, organizations in regulated industries can be wary; high-profile data privacy and security incidents elevate these concerns. The recent Capital One breach, revealing personal information of more than 100 million people, was perpetrated by a lone hacker. The fallout — financial and other costs — was huge and could continue for years.

Security is top of mind among C-suite executives. Neither cloud nor on-premise data storage is invulnerable to attack. Yet even governments are now utilizing cloud-based platforms. In the U.S., 48 percent of federal and state agencies utilize multiple cloud-based services. For organizations in regulated industries, jumping into the cloud is no longer a big leap.

“Most organizations have adopted the public cloud as a cost-effective platform for hosting enterprise applications and developing and deploying customer-facing solutions. Over the next five years, cloud platforms and ecosystems will serve as the launchpad for an explosion in the scale and pace of digital innovation. The result will be ‘multiplied innovation’ with as many new applications deployed in the cloud as prior generations deployed over the previous four decades.”

Eileen Smith – International Data Corporation

The Current State of Cloud

CLOUD WARS Top Cloud Vendors by Revenue (@bobevansIT)

Vendor              2018 Cloud Revenue
1. Microsoft        $32.2B
2. AWS              $25.7B
3. IBM              $19.2B
4. Salesforce       $13.08B
5. Accenture        $9.0B
6. SAP              $5.6B
7. Oracle           $5.3B (est.)
8. Google Cloud     $3.4B (est.)
9. Workday          $2.8B
10. ServiceNow      $2.6B

¹ International Data Corporation Worldwide Semi-annual Public Cloud Services Spending Guide
² https://www.statista.com/statistics/510350/worldwide-public-cloud-computing/
³ International Data Corporation Worldwide Semi-annual Public Cloud Services Spending Guide
⁴ International Data Corporation Worldwide Semi-annual Public Cloud Services Spending Guide


Increasingly, many IT environments are a mix of onsite, public and private clouds.

Legacy, on-premise systems are characterized by siloed manual resource allocation. They typically lack a consolidated, unified real-time view of business performance and tend to lack scalability and agility. Yet in a 2018 survey, nearly 60 percent of CIOs believe apps that touch critical data and systems must remain on-premises for security reasons and 42 percent say legacy systems are mission-critical.

Public clouds offer the advantages of significantly lower costs, with shared infrastructure and a highly flexible, pay-per-use model. In particular, large providers have the scale to offer state-of-the-art technology, facilities, safeguards and security that are beyond the ability of most individual companies to maintain. On the downside, they are multi-tenant and diminish an organization’s control. But as large providers improve infrastructure and technology, many of the drawbacks are being addressed.

Private clouds that are accessible to only a single organization are often used where there are concerns related to intellectual property, regulations, compliance and security. They provide greater control than public clouds, but the owner organization must manage all of its own security and performance.

Multi-cloud platforms offer numerous advantages: services from multiple providers eliminate single points of failure in business-critical processes, functioning as an insurance policy against disasters and data loss. A multi-cloud platform also allows organizations to closely match specific workload or application requirements. This year, a survey of IT professionals regarding their adoption of cloud technologies indicated that 84 percent have a multi-cloud strategy.

A hybrid mix of private and public cloud services, and sometimes traditional onsite infrastructure, is used by many organizations to balance benefits and risks based on economics, location and governance requirements.

Hybrid and Multi-Cloud Strategies Dominate

As organizations embrace cloud usage, more will rely on cloud service brokers to assist with aggregating, integrating and customizing cloud services among various providers.

Top Cloud Priority for Enterprises

• Public cloud: 31%
• Hybrid cloud: 28%
• Public and private are equal priority: 17%
• On-premise private cloud: 9%
• Hosted private cloud: 6%

Source: RightScale 2019 State of the Cloud Report from Flexera


Global Jurisdictions Impacting Cloud Information Security

As jurisdictions around the world focus on strengthening local competitiveness while protecting personal information, organizations must have a complete understanding and supervision of their cloud footprint — or risk significant regulatory repercussions.

For example, in 2015 the Digital Privacy Act became law in Canada, amending the federal privacy law, Personal Information and Protection of Electronic Documents Act (PIPEDA), to include mandatory breach notification requirements. In 2018 PIPEDA was amended to include new rules requiring businesses to notify the federal Office of the Privacy Commissioner and any individuals affected by a security breach that gives rise to “real risk of significant harm.” Failure to do so can result in severe fines.

The same year, the European Union’s General Data Protection Regulation (GDPR) came into effect. This increases complexity related to where organizations should transmit and store data because the GDPR has extraterritorial reach. It applies to companies collecting or using the personal information of EU residents, even if processing occurs outside the EU.

Under the US Patriot Act and the more recent US Cloud Act, when a cloud provider is a U.S. company, any data it keeps — whether inside or outside U.S. borders — is susceptible to possible U.S. government search or seizure. This applies, for example, to Google and Microsoft.

More Legislation Focusing on Cloud

There is a constant flow of new legislation specifically targeting cloud. The Government of Canada is creating a Canadian public sector community cloud (CPSCC) representing a compliance framework for commercially available public cloud offerings. This comprises public cloud services that have security controls accredited by the government and that are made available to all Canadian public sector organizations through a marketplace.

Industry Groups are Developing Cloud Standards

Vertical industry groups are beginning to develop cloud standards. For example, the Telemanagement Forum, representing cable and network operators, software suppliers, equipment suppliers and systems integrators, is developing a telecom initiative for cloud computing.

The Association for Retail Technology Standards (ARTS) is developing an open environment where retailers and technology vendors can work together to create international retail technology standards.

New Cloud Industry Groups are Devising Standards and Best Practices

Growing numbers of cloud industry groups are developing standards and best practices to ensure providers and equipment work together, securely. Examples include:

• Cloud Computing Interoperability Forum
• Cloud Security Alliance
• National Institute of Standards and Technology
• Open Cloud Consortium
• Open Grid Forum

Regulation Plays an Integral Role in Cloud Sector Development


With appropriate due diligence and risk mitigation strategies, leveraging the cloud to optimize data use can offer unparalleled advantages for financial services and other regulated enterprises.

Cost Savings and Predictability

When a company rents hard drive space from a public cloud service provider, costs shift from capital expenditures to operating expenses. Hardware and repair are the responsibility of the service provider, IT maintenance costs are reduced and customers benefit from economies of scale by sharing cloud costs. However, traffic to / from the cloud needs to be estimated carefully, as charges for transmission of data / workloads to the cloud (unless everything is in the cloud) are often underestimated by clients.

Stronger Employee Performance

Since cloud works across locations, devices and organizational boundaries, it enhances employee productivity in numerous ways. Provided applications and data stores are configured for real-time access, workers have immediate access to data and applications, which facilitates work, communication and collaboration.

Enhanced Security

As organizations face increasingly complex data security risks, many cloud providers are responding with advanced security features that can be customized to operations. End-to-end encryption, 24-7 monitoring and remote wiping of lost and stolen devices are standard among service providers. A Salesforce report indicated 94 percent of businesses reported significant improvements in online security after moving their data to the cloud and 91 percent indicated that cloud technology supports their government compliance requirements.

More Green Initiatives

Going to the cloud also reduces the footprint of data and information management activities.

By retaining and managing less information, organizations reduce infrastructure needs and costs. They can use those savings to fund green initiatives.

Cloud Advantages


Costs

Like any technology, the costs and benefits of cloud applications, storage and infrastructure need to be understood prior to moving forward. Depending on the business intent and requirements, several factors may cause cloud costs to be significantly higher than on-premise costs, including the planning horizon and the actual use of applications, storage and infrastructure. These costs may have been less visible previously as they were typically categorized as capital expenditures, rather than operational expenses. As a result, organizations must take a longer-term view and carefully profile their application, storage and infrastructure needs.

Complexity

Cloud providers deliver tremendous commercial offerings. However, navigating these options is complex given the unique requirements of different organizations. As a result, most organizations replicate their existing IT information, application and technology infrastructure within a cloud provider’s infrastructure, leading to excessive costs.

A better option would be to consider your entire IT environment and identify areas that would provide a positive business case to move to the cloud — then stage the migration of storage, applications or infrastructure to the cloud.

Security

Previously, many organizations viewed a ‘no-cloud’ policy as a way to protect data and information privacy and security, similar to how they used ‘no-internet’ policies in the past. However, the business benefits of using the cloud are so compelling, adoption has grown and is expected to continue growing across all industries and sectors.

Cloud providers can and do provide world-class security safeguards that are maintained as an operational necessity for their infrastructure. However, organizations need to be aware of not only the security safeguards (e.g. encryption, etc.) in place, but also the legal (and privacy) implications for both location of the data and how it was transported there.

Cloud Challenges


Organizations in regulated industries can address numerous business challenges through strategic cloud use in the following domains:

Data Security

With more data moving to the cloud, including intellectual property, personal and mission-critical information, maintaining its integrity is crucial.

As cyberattackers increasingly target financial institutions, utilities and government entities, organizational leaders are naturally hesitant to leap into cyberspace. These entities are already subject to strict guidelines regarding the treatment of sensitive data. Leaders are understandably concerned about regulatory compliance related to placing sensitive data on a public cloud and relinquishing control of that data to a third party.

Yet only a small minority of security incidents impacting organizations using the cloud have been due to provider vulnerabilities. Today, cloud security is generally far superior to what is available for aging servers, networks and infrastructure.

Still, it is critical to understand it is the responsibility of individual enterprises to establish secure and regulatory-compliant cloud use by implementing and enforcing clear policies and controls on use and responsibilities. Adopting a strategic, risk-based approach to cloud use can safeguard information assets.

Cloud Providers Prioritize Cyber Resilience

Within an environment of constant cyber threats, public cloud providers are developing sophisticated and targeted threat-deterrent tools.

For example, Microsoft, which runs dozens of cloud services around the world, launched a new cybersecurity program specifically for power and utilities companies in 2017. Focused on cyber analytics, the cloud program provides utility customers with “global malicious site and threat actor intelligence for greater visibility into the current security state of their networks.” It is intended to address the growing threat of cyber breaches as operational technology systems of suppliers of critical infrastructure become increasingly intertwined with more business systems.

Cyber resilience is now essential and cloud providers are responding with an ever-stronger focus on cyber monitoring, detection and response.

Cloud can Address Key Business Challenges


Data Visibility and Access

Data visibility is essential both for security and for operational performance. Legacy systems and siloed databases across lines of business can make it difficult to see, access and protect data. Old, non-integrated systems cannot deliver visibility.

Insufficient visibility can be a serious disadvantage by:

• Hindering the ability of leadership to access current, complete data
• Denying customers access to real-time, seamless information
• Preventing employees from working together easily and productively
• Restricting rapid response to security threats

Good data visibility is key — and the virtual infrastructure of cloud-based services typically provides greater visibility than on-premise systems. Cloud service providers are continually developing increasingly sophisticated tools that provide full visibility, as well as analytics, control and responsiveness in multi-cloud environments.

High Technology Costs

Information technology infrastructure is expensive: equipment, systems, labour, maintenance, upgrades… the list goes on — particularly if an organization is repurposing legacy technologies.

Utilizing cloud providers addresses this issue on several levels. First, customers rent rather than buy. This shifts IT from a capital expense to an operating expense. Contracts with cloud service providers typically include the costs of system upgrades, new hardware and software. These suppliers are also responsible for capacity planning, administration, maintenance, troubleshooting and backup.

Cloud also offers scalability. Customers only pay for what is used and, as an organization’s needs change, cloud services and tools can rapidly scale up or down.


While utilizing cloud-based systems can address issues of privacy, security, visibility and costs, migrating legacy information databases can seem like a daunting task — with so many different components and ways of interacting. There are challenging decisions about consolidation, standardization and regulations.

IBM case studies indicate effective cloud strategies can reduce infrastructure and software application costs at banks by 40 percent. However, many regulated organizations have been hesitant to fully embrace the cloud because some regulators have yet to set out clear guidelines around its use.

The adoption of cloud technologies by regulators is expected to ramp up as they strive to propel innovation. In fact, the regulators themselves are getting on board with cloud. In the U.S., the Financial Industry Regulatory Authority (FINRA) recently moved a key part of its technology infrastructure to Amazon Web Services to enhance data validation efficiency.

When transitioning data infrastructure to the cloud, the following best practices will enable enterprises in regulated industries to navigate these complexities and chart a path that will achieve goals while mitigating risks.

Define Expected Business Gains

Start by building a business case for the return on investment of a cloud transition strategy. Define the business outcomes sought and how cloud technology can achieve these. This provides an opportunity to rethink — and improve — architecture and workflows. Consider how shifting into a cloud-based platform might accelerate productivity, increase functionality, reduce costs and improve customer experience.

Inventory Information Assets

Capture a full inventory of information assets to fully understand the impact, risk and cost associated with potentially moving each component to the cloud. This requires assessing the dependencies of data assets, supporting applications, users and the potential impact to users and trends in the use of these assets.

After determining the assets that could potentially be migrated, compare logistics and costs of shifting to the cloud versus retaining on-premises. Gartner’s Three Rings of Information Governance Model can help with categorizing and prioritizing data to improve business outcomes.

Using three (or more) concentric rings, the model categorizes the most critical (or master) data in the inner ring, shared application data and information in the next ring, followed by single application data in the last ring of the model. It will also reveal opportunities for eliminating resources that have limited future value.

Best Practices for Successful Cloud Transition


Incorporate Data and Information Privacy Considerations

Given the nature of the cloud as ‘someone else’s hard drive’, it is critical to address the regulatory, privacy and security challenges raised by cloud computing by:

• Understanding jurisdictional privacy laws based on where your data and information are stored — Under cloud computing frameworks, data is often processed or stored in multiple jurisdictions, creating overlapping jurisdictions for your organization.

• Knowing how your cloud provider will protect your data and information — Given the privacy laws of multiple jurisdictions, organizations need to ensure the appropriate technical and administrative controls are in place to protect their data.

• Exploring different encryption technologies and tools to ensure the privacy of your data and information — Appropriate encryption approaches may provide the necessary safeguards to protect data in files, databases and applications to render it unreadable and useless to cybercriminals.

Devise a Comprehensive Security Model for Information Assets

It’s not the security of the cloud itself, but the policies related to control of the technology that present cloud security challenges.

A strong security model is essential; one that encompasses the following key components:

• Understand the level of protection needed for each information asset
• Determine what is at risk and how much risk you are willing to assume
• Establish appropriate controls
• Devise appropriate metrics
• Ensure safeguards are in place for backup and recovery
• Ensure compliance with industry regulations
• Educate information users about security guidelines
• Continually assess and address risks

To fully protect the confidentiality, integrity and availability of information assets, a well-structured plan addresses people, processes and technology.

Develop a Strong Governance Framework

A cloud governance framework (i.e. the policies, standards and processes involved in planning, acquiring, deploying, operating, managing and securing cloud technologies) establishes the groundwork for smooth cloud implementation. Strong governance for organizations in regulated industries is essential since regulations require strict control over the flow of data, such as personally identifiable information.

Changing technology platforms introduces risk. Roles, responsibilities and processes are impacted when shifting to cloud-based platforms. Strong cloud governance should provide the guidance an organization needs to navigate these risks and efficiently operate cloud services. Organizations need strong data governance frameworks — and cloud technology governance frameworks must support and sustain these.

When moving assets to a public cloud, it’s necessary to clearly understand what governance and security the vendor provides and what responsibilities must be assumed by the customer.


Create a Detailed Cloud Migration Roadmap and Change Management Strategy

A cloud implementation strategy must ensure the protection of migrating information assets, as well as successful adoption by users. Having clear plans and a roadmap in place enables organizational leaders to identify the necessary decisions, areas that require resources and challenges that must be addressed. Following are key considerations to accomplish this.

Capture baseline metrics and establish cloud migration key performance indicators.

Key performance indicators (KPIs) enable you to identify problems during migration and to measure success. KPIs such as response times, availability and conversion rates can measure engagement, performance and user experience.

Create a data migration roadmap.

Beginning with a data quality assessment eliminates unnecessary costs associated with migrating poor data. Once you’ve identified which data to migrate, determine how and when to move each asset to the cloud. Some cloud suppliers provide migration services. There are also independent cloud migration service providers that offer support ranging from high-level planning to training and execution.

Establish migration timeframes and responsibilities and identify risks that must be avoided. Also determine how to maintain data integrity and operational continuity during migration.

Implement a change management strategy.

The cloud is transformational and employees must be prepared. This requires understanding how the work has changed and educating and training staff to understand changes to processes, technology and the impact on their work.


As the cloud grows and matures, vendors will continue to innovate, differentiate and improve their offerings. The impact will be transformative.

Forward-thinking institutions in regulated industries can now take advantage of new, secure technologies to meet strict compliance standards while providing customers and other stakeholders with fast, convenient and secure access to information. The only way to fully reap the benefits of the cloud — agility, savings, efficiency, speed, flexibility, scalability, resiliency — is to move your organization into the cloud.

About MNP

MNP is a leading national accounting, tax and business consulting firm in Canada. We proudly serve and respond to the needs of our clients in the public, private and not-for-profit sectors. Through partner-led engagements, we provide a collaborative, cost-effective approach to doing business and personalized strategies to help organizations succeed across the country and around the world.

Contact: Sean Murphy FCMC, CPA, CMA, PMP, CMC National Digital Services Leader | Regional Managing Partner, Consulting T: 613.691.8503 E: [email protected]

How MNP Can Help

MNP’s Consulting and Technology Services teams work with financial institutions and other organizations in regulated industries, government entities and private enterprises across the country to transform technology opportunities into meaningful results.

We provide extensive support with cloud transformation — from planning to execution and measurement.

• Cloud migration feasibility
• Data / information asset and risk assessment
• Data / information governance strategy
• Privacy impact assessment
• Vendor due diligence
• Cloud migration plans
• Change management plans
• Incident response, recovery, mitigation

Let’s have a conversation about the opportunities, the concerns and the practical ways we can help your organization enjoy the unparalleled advantages of the cloud.

Time to Move up into the Cloud
